Business and Legal Insights

Imagine receiving a cease-and-desist letter from a business rival accusing your company of violating federal and state computer hacking laws. Your mind begins to race. Did an employee go rogue and commit corporate espionage? You scan through the letter for details – only to learn your company is being accused of simply visiting a competitor’s public website. They are demanding you stop trespassing immediately.

Is this a joke, you ask, or could merely visiting a website be a computer crime?

A decision of the United States Court of Appeals for the Ninth Circuit has thrown the issue of computer trespass into the spotlight. The case involves Facebook and a now-defunct social media startup, Power Ventures (“Power”). Power had sought to offer users a centralized location where they could post to all of their social media sites at the same time. Power and its chief executive and founder, Steve Vachani, were defendants in the case.

Trouble arose when Power launched a promotion encouraging users to bring friends to its site. If a user clicked on an icon, Power caused a message to be sent to the user’s friends within the Facebook system. Facebook never approved this, and Power had not registered as a third-party developer with Facebook. Facebook sent a cease and desist letter to Power and eventually blocked the startup from accessing Facebook from its Internet Protocol (“IP”) address. Power switched IP addresses and continued to access Facebook.

Facebook sued Power, alleging violations of the federal Computer Fraud and Abuse Act (“CFAA”) and a related California statute, among other things. The CFAA prohibits “intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining … information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). The CFAA provides for criminal penalties and civil liability.

On appeal, the Ninth Circuit concluded that Power did not initially violate the CFAA because Power users gave Power permission to access Facebook. However, Power did violate the CFAA when it continued to access Facebook after Facebook rescinded permission (i.e. the cease and desist letter).

The court set forth two basic rules. A defendant can “run afoul” of the CFAA when it accesses a computer if it has no permission or when such permission has been revoked explicitly. The court noted that “[o]nce permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.” Second, “a violation of the terms of use of a website — without more — cannot be the basis for liability under the CFAA.” The court explicitly did not decide “whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.”

The concept of trespass may seem strange when it comes to public websites. If visiting a public (not password-protected) site is as simple as clicking on a link from a search engine or typing in a web address, one would think the site is presumptively open to the public, like a park, library, or mall. It’s unclear whether that’s the case. In Facebook v. Vachani, the Ninth Circuit – the federal appellate court with jurisdiction over Silicon Valley and Seattle – passed on this basic question. The court did, however, explain that it can be a crime to access a computer after being instructed not to do so.

Some scholars, including Professor Orin Kerr of The George Washington University Law School, have read the Ninth Circuit’s decision broadly. They believe the court is advising that it is a federal crime for a person to visit a public website after being told not to visit it.

If that is truly the holding, the implications will be far reaching. Company A could instruct Competitor B not to visit Company A’s website or face criminal charges. News media could ban the subjects of controversial articles from reading those very articles. An online bully could create a website targeting an individual and ban that individual from visiting the site, even if he is merely attempting to gain information for a potential lawsuit against the bully. The scenarios are endless.

There is a narrower way to read this case. Rather than saying it’s a crime to merely visit a public website after being told not to do so, the Ninth Circuit could be saying it’s a crime to access a password-protected account on a public website after being told not to do so.

Other cases have rejected the notion that visiting a public website and/or violating a website’s terms of service, without more, is a violation of the CFAA. See e.g., Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927, 932-33 (E.D. Va. 2010) (granting motion to dismiss CFAA claim because alleged unauthorized “scraping” of information from website was not a violation, since site was not password protected and users weren’t required to manifest assent to terms of use); United States v. Drew, 259 F.R.D. 449, 467 (C.D. Cal. 2009) (dismissing the indictment against a defendant who had been found guilty of a misdemeanor violation of the CFAA for unauthorized access based on the defendant’s “conscious breach of a website’s terms of service” in the form of creating a fictitious MySpace account).

How ever one reads Facebook v. Vachani, it’s important to take seriously any demand that one cease and desist from visiting a website or accessing a computer, no matter how public the website or computer seems. The law of computer trespass is ambiguous. Until the Ninth Circuit or the U.S. Supreme Court clarifies what constitutes a violation of the CFAA, or until Congress amends the statute, some will surely find ways to exploit the broad language in this case.

Related Links:

• 9th Circuit: It’s a federal crime to visit a website after being told not to visit it

• Facebook v. Power Ventures